
Revision as of 20:05, 12 December 2009

Moving sensitive files outside the public_html

One challenge in Joomla! is ensuring that certain PHP files in public_html (also known as htdocs or www, depending on your server setup) that contain executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, but most are not optimal. Many users and developer groups, such as Gallery2 (http://gallery.menalto.com/) and Apache.org (http://www.apache.org/), strongly recommend against keeping vulnerable files and confidential data inside public_html.

The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example, we protect configuration.php, perhaps the most confidential file of any Joomla! site. Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.

Directions

1. Create a directory in your domain outside of your public_html directory. You can name it anything you want. We used the name design2-files for the directory name in this example. Note: If you have multiple Joomla installs, then each Joomla install should have its own directory outside of public_html to contain its configuration.php file.

2. Move configuration.php to the design2-files directory and rename it whatever you want. We used the name joomla.conf for the configuration file in this example.

3. If your Joomla site is installed in the root of the public_html directory and not in a subdirectory under public_html, then create a new configuration.php file for your Joomla install in the public_html directory containing only the following code:

Important! Do not include blank lines or any characters (including blank spaces) before the php start tag or after the php end tag. If you make this mistake, you very likely will see the following error.

Warning: Cannot modify header information - headers already sent by (output started at
/home/xxxxx/public_html/configuration.php:2) in /home/xxxxx/public_html/index.php on line 250

4. Make sure the new configuration.php file is set to permissions of 644.
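As an added example (not from the original page or the Joomla project), the following POSIX shell script performs steps 1 to 4 and then checks the resulting pointer file for the two problems the page warns about: bytes before the opening tag or after the closing tag (the cause of the "headers already sent" warning) and a mode other than 644. The names design2-files and joomla.conf come from the page; the require() path written into the stub and the refusal to place the private directory under public_html are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Joomla documentation: carry out steps 1-4 of
# the page and verify the 3-line pointer file. Only the names design2-files
# and joomla.conf come from the page; the rest is an assumption.

# relocate_config SITE_DIR PRIVATE_DIR CONF_NAME
# Moves SITE_DIR/configuration.php to PRIVATE_DIR/CONF_NAME and writes a
# 3-line pointer file in its place with mode 644. Refuses a PRIVATE_DIR
# that lies inside SITE_DIR, since that would defeat the whole exercise.
relocate_config() {
    site=$(cd "$1" && pwd) || return 1
    mkdir -p "$2" || return 1
    private=$(cd "$2" && pwd) || return 1
    conf=$3
    case "$private" in
        "$site"|"$site"/*)
            echo "refusing: $private is inside the document root $site" >&2
            return 1 ;;
    esac
    mv "$site/configuration.php" "$private/$conf" || return 1
    # printf with no trailing newline: nothing may follow the closing tag.
    printf '<?php\nrequire(%s);\n?>' "'$private/$conf'" > "$site/configuration.php"
    chmod 644 "$site/configuration.php"
}

# check_stub FILE
# Succeeds only if FILE starts with "<?php" as its first five bytes (so no
# BOM or blank line), ends with "?>" as its last two bytes, contains a
# require line, and has mode exactly 644.
check_stub() {
    f=$1
    [ "$(head -c 5 "$f")" = '<?php' ] || { echo "$f: bytes before <?php" >&2; return 1; }
    [ "$(tail -c 2 "$f")" = '?>' ]    || { echo "$f: bytes after ?>" >&2; return 1; }
    grep -q '^require' "$f"           || { echo "$f: no require line" >&2; return 1; }
    [ -n "$(find "$f" -perm 644)" ]   || { echo "$f: mode is not 644" >&2; return 1; }
}
```

PHP itself swallows a single newline immediately after `?>`, so one trailing newline would not by itself trigger the warning; the check nevertheless applies the page's stricter rule of no characters at all after the end tag.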

Warning!!

If you need to change configuration settings, do so manually by downloading the relocated joomla.conf file, making the needed edits and uploading it back.

Do not use the Joomla web administrator interface global configuration button to edit the global configuration.

Editing and saving/applying the edits to the global configuration in the Joomla web administration interface will overwrite the 3-line configuration.php file that points to the real configuration file with the real configuration file's contents. This will undo your efforts to move and protect the configuration.php file by placing it in a directory outside of public_html.